DoS Flaws Haunt BIND Server Software

WEBINAR:On-Demand

The nonprofit Internet Systems Consortium patches a pair of vulnerabilities in the popular BIND implementation of the DNS protocols.

The nonprofit Internet Systems Consortium has rolled out fixes for a pair of denial-of-service flaws in its BIND (Berkeley Internet Name Domain) implementation of the Domain Name System protocols.

The vulnerabilities were reported in BIND versions 8.4.4, 8.4.5 and 9.3.0 and carry a "moderately critical" rating from independent research firm Secunia.

BIND is by far the most popular software for mapping domain names to IP addresses on the Internet. Vulnerabilities in BIND have triggered heated debates in security circles because of the heavy dependence on the software.

The first flaw, which only affects versions 8.4.4 and 8.4.5, is a buffer overflow error in the handling of the "q_usedns" array used by the server to track name servers and addresses that have been queried.

A successful exploit could allow an attacker to crash the service, according to an advisory from the U.S. Computer Emergency Readiness Team.

The ISC has recommended that users disable recursion and glue fetching as a temporary workaround. A comprehensive fix is available in the new ISC BIND version 8.4.6.

The second flaw, which affects BIND version 9.3.0, was found in the way BIND supports the DNS Security Extensions (DNSSEC), including the NextSECure (NSEC) RDATA Format. "An incorrect assumption in the validator function authvalidated() can result in an internal consistency test failing and named exiting," US-CERT warned in a second advisory.

An attacker with the ability to craft specific DNS packets could exploit this vulnerability to trigger denial-of-service attacks.

Users are urged to disable dnssec validation at the Options/View level and upgrade to the new BIND version 9.3.1.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.